Ensure blocking alerts are always shown and update related test

Author: jdalton

package.json

@@ -60,7 +60,7 @@
     "bs": "npm run build:dist; npm exec socket --",
     "s": "npm exec socket --",
     "test": "run-s check test:*",
-    "test:prepare": "cross-env VITEST=1 npm run build",
+    "test:prepare": "cross-env VITEST=1 npm run build && del-cli 'test/**/node_modules'",
     "test:unit": "vitest --run",
     "test:unit:update": "vitest --run --update",
     "test:unit:coverage": "vitest run --coverage",

src/commands/fix/npm-fix.ts

@@ -53,7 +53,7 @@ export async function npmFix(
     include: {
       existing: true,
       unfixable: false,
-      upgrade: false
+      upgradable: false
     }
   })
 

src/commands/fix/pnpm-fix.ts

@@ -48,7 +48,7 @@ export async function pnpmFix(
     include: {
       existing: true,
       unfixable: false,
-      upgrade: false
+      upgradable: false
     }
   })
 

src/shadow/npm/arborist/lib/arborist/index.ts

@@ -84,22 +84,10 @@ export class SafeArborist extends Arborist {
       __proto__: null,
       ...(args.length ? args[0] : undefined)
     } as ArboristReifyOptions
-    if (
-      options.dryRun ||
-      options['yes'] ||
-      // Lazily access constants.ENV[SOCKET_CLI_ACCEPT_RISKS].
-      constants.ENV[SOCKET_CLI_ACCEPT_RISKS]
-    ) {
-      return await this[kRiskyReify](...args)
-    }
     const binName = await getIpc(SOCKET_CLI_SAFE_WRAPPER)
     if (!binName) {
       return await this[kRiskyReify](...args)
     }
-    const isSafeNpm = binName === NPM
-    const isSafeNpx = binName === NPX
-    // Lazily access constants.spinner.
-    const { spinner } = constants
     await super.reify(
       {
         ...options,
@@ -109,17 +97,33 @@ export class SafeArborist extends Arborist {
       // @ts-ignore: TS gets grumpy about rest parameters.
       ...args.slice(1)
     )
+    // Lazily access constants.spinner.
+    const { spinner } = constants
+    const isSafeNpm = binName === NPM
+    const isSafeNpx = binName === NPX
     const alertsMap = await getAlertsMapFromArborist(this, {
       spinner,
-      include: {
-        existing: isSafeNpx,
-        unfixable: isSafeNpm
-      }
+      include:
+        options.dryRun ||
+        options['yes'] ||
+        // Lazily access constants.ENV[SOCKET_CLI_ACCEPT_RISKS].
+        constants.ENV[SOCKET_CLI_ACCEPT_RISKS]
+          ? {
+              blocked: true,
+              critical: false,
+              cve: false,
+              unfixable: false
+            }
+          : {
+              existing: isSafeNpx,
+              unfixable: isSafeNpm
+            }
     })
     if (alertsMap.size) {
+      process.exitCode = 1
       logAlertsMap(alertsMap, { output: process.stderr })
       throw new Error(
-        `Socket ${binName} exiting due to risks.\nRerun with the environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1 to accept the risks of installing these packages.`
+        `Socket ${binName} exiting due to risks.\nRerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1 to accept risks.`
       )
     } else {
       logger.success(`Socket ${binName} found no risks!`)

src/utils/lockfile/package-lock-json.ts

@@ -18,7 +18,7 @@ import { addArtifactToAlertsMap } from '../socket-package-alert'
 import type { Diff } from '../../shadow/npm/arborist/lib/arborist/types'
 import type { SafeEdge } from '../../shadow/npm/arborist/lib/edge'
 import type { SafeNode } from '../../shadow/npm/arborist/lib/node'
-import type { AlertsByPkgId } from '../socket-package-alert'
+import type { AlertIncludeFilter, AlertsByPkgId } from '../socket-package-alert'
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
 type Packument = Exclude<
@@ -184,15 +184,7 @@ export function findPackageNodes(
   return matches
 }
 
-type AlertIncludeFilter = {
-  critical?: boolean | undefined
-  cve?: boolean | undefined
-  existing?: boolean | undefined
-  unfixable?: boolean | undefined
-  upgrade?: boolean | undefined
-}
-
-type GetAlertsMapFromArboristOptions = {
+export type GetAlertsMapFromArboristOptions = {
   consolidate?: boolean | undefined
   include?: AlertIncludeFilter | undefined
   spinner?: Spinner | undefined
@@ -210,11 +202,12 @@ export async function getAlertsMapFromArborist(
 
   const include = {
     __proto__: null,
+    blocked: true,
     critical: true,
     cve: true,
     existing: false,
     unfixable: true,
-    upgrade: false,
+    upgradable: false,
     ..._include
   } as AlertIncludeFilter
 
@@ -252,8 +245,9 @@ export async function getAlertsMapFromArborist(
   const sockSdk = await setupSdk(getPublicToken())
 
   const toAlertsMapOptions = {
-    overrides,
-    ...options
+    ...options,
+    include,
+    overrides
   }
 
   for await (const batchPackageFetchResult of sockSdk.batchPackageStream(

src/utils/lockfile/pnpm-lock-yaml.ts

@@ -4,19 +4,11 @@ import { getPublicToken, setupSdk } from '../sdk'
 import { addArtifactToAlertsMap } from '../socket-package-alert'
 
 import type { CompactSocketArtifact } from '../alert/artifact'
-import type { AlertsByPkgId } from '../socket-package-alert'
+import type { AlertIncludeFilter, AlertsByPkgId } from '../socket-package-alert'
 import type { Lockfile } from '@pnpm/lockfile-file'
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
-type AlertIncludeFilter = {
-  critical?: boolean | undefined
-  cve?: boolean | undefined
-  existing?: boolean | undefined
-  unfixable?: boolean | undefined
-  upgrade?: boolean | undefined
-}
-
-type GetAlertsMapFromPnpmLockfileOptions = {
+export type GetAlertsMapFromPnpmLockfileOptions = {
   consolidate?: boolean | undefined
   include?: AlertIncludeFilter | undefined
   spinner?: Spinner | undefined
@@ -34,11 +26,12 @@ export async function getAlertsMapFromPnpmLockfile(
 
   const include = {
     __proto__: null,
+    blocked: true,
     critical: true,
     cve: true,
     existing: false,
     unfixable: true,
-    upgrade: false,
+    upgradable: false,
     ..._include
   } as AlertIncludeFilter